Archive for July, 2011

When I pose the question above to people about the risk management experiences they have had in their organizations, they always say that it’s really more about risk elimination. These are typically larger organizations and risk management, done well, is a prudent and necessary activity. So why do they say “elimination?”

Definitions are adapted from Wikipedia.Risk management is the identification, assessment, and prioritization of risks (the effect of uncertainty on objectives) followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities. Risks can come from uncertainty in financial markets, project failures, production, legal liabilities, credit risk, accidents, natural causes and disasters as well as deliberate attack from an adversary or events of uncertain root-cause.

Sounds like pretty important stuff.

In essence, risk management is a process:

identify, characterize, and assess threats

assess the vulnerability of critical assets to specific threats

determine the risk (i.e. the expected consequences of specific types of attacks on specific assets)

identify ways to reduce those risks

prioritize risk reduction measures based on a strategy

In typical risk management, once risks have been identified and assessed, there are four basic techniques for managing the risk.

Avoid (eliminate, withdraw from or not become involved)

Reduce (optimize – mitigate)

Share (transfer – outsource or insure)

Retain (accept and budget)

I believe that what I and many others have experienced in “risk management” is actually an abbreviated two-step process:

Identify any risk/threat

Avoid it (eliminate, withdraw from or not become involved)

What is the effect of this approach on the larger organization? How does it impact performance, moral, commitment, engagement, or whatever measure you choose to use?

Incite: Perhaps the “Two-Step” Risk Management process itself is another risk that needs to be managed.